#!/bin/bash

set -o pipefail

log-debug "creating registration entry for downstream workload..."
docker compose exec -T downstream-spire-server \
    /opt/spire/bin/spire-server entry create \
    -parentID "spiffe://downstream-domain.test/spire/agent/x509pop/$(fingerprint conf/downstream/agent/agent.crt.pem)" \
    -spiffeID "spiffe://downstream-domain.test/downstream-workload" \
    -selector "unix:uid:0" \
    -federatesWith "spiffe://upstream-domain.test" \
    -x509SVIDTTL 0

log-debug "creating registration entry for upstream workload..."
docker compose exec -T upstream-spire-server \
    /opt/spire/bin/spire-server entry create \
    -parentID "spiffe://upstream-domain.test/spire/agent/x509pop/$(fingerprint conf/upstream/agent/agent.crt.pem)" \
    -spiffeID "spiffe://upstream-domain.test/upstream-workload" \
    -selector "unix:uid:0" \
    -federatesWith "spiffe://downstream-domain.test" \
    -x509SVIDTTL 0
